Closed astrixj closed 4 years ago
@astrixj there isn’t and won’t be. Validating the ID Token is a required step.
If you wish to omit validating the signature, the configuration of some providers (not common tho) in some scenarios (code flow only) allows for the use of JWS `alg: none`, in which case only claim validation would be performed.
@panva - not sure that I got it, where should I put the `none`? Is there an example? You mean at this point in the code?
```js
const client = new oidc.Client({
  client_id: ClientId,
  token_endpoint_auth_method: 'client_secret_basic'
});
```
@astrixj this is a configuration you'd look for at your identity provider. If they provide it, you'd configure the client with `id_token_signed_response_alg: 'none'`. Without the accompanying setting in your identity provider tho, this leads nowhere.
If I may ask, what's the reason why you MUST have the option to skip on a key assurance when it comes to validating IdP assertions?
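What claim-only validation amounts to when a client is configured with `id_token_signed_response_alg: 'none'`, as an added example that is not part of the thread or the library's own code: the unsigned token is accepted only when it came from the token endpoint (code flow) and has an empty signature part, and issuer, audience and expiry are still checked. The function name, the `source` labels and the sample issuer, client id and timestamps are constructed for illustration.

```javascript
// Added example: plain Node.js, no OIDC library involved.
const b64u = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
  .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
// Node's 'base64' decoder also accepts the URL-safe alphabet used by JWTs.
const decodePart = (part) => JSON.parse(Buffer.from(part, 'base64').toString('utf8'));

// cfg.expectedAlg mirrors the client's id_token_signed_response_alg setting.
// source: 'token_endpoint' (code flow) or 'authorization_endpoint' (hypothetical labels).
function validateUnsignedIdToken(jwt, cfg, source, now = Math.floor(Date.now() / 1000)) {
  const parts = jwt.split('.');
  if (parts.length !== 3) return 'malformed JWT';
  let header, claims;
  try { header = decodePart(parts[0]); claims = decodePart(parts[1]); }
  catch { return 'malformed JWT'; }
  if (!header || !claims) return 'malformed JWT';

  // The token's alg must be exactly what the client was configured for.
  if (header.alg !== cfg.expectedAlg) return 'unexpected alg';
  if (header.alg !== 'none') return 'signature verification required';
  // Unsigned tokens are only acceptable over the back channel (code flow).
  if (source !== 'token_endpoint') return 'alg none outside code flow';
  if (parts[2] !== '') return 'alg none with non-empty signature';

  // The signature check is skipped; the claim checks are not.
  if (claims.iss !== cfg.issuer) return 'iss mismatch';
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(cfg.clientId)) return 'aud mismatch';
  if (typeof claims.exp !== 'number' || claims.exp <= now) return 'expired';
  if (typeof claims.iat !== 'number') return 'iat missing';
  return 'ok';
}

// Constructed sample input (not taken from any real identity provider).
const SAMPLE_NOW = 1700000000;
const SAMPLE_CFG = { issuer: 'https://idp.example', clientId: 'my-client', expectedAlg: 'none' };
const SAMPLE_TOKEN = b64u({ alg: 'none' }) + '.' + b64u({
  iss: SAMPLE_CFG.issuer, aud: SAMPLE_CFG.clientId, exp: SAMPLE_NOW + 300, iat: SAMPLE_NOW,
}) + '.';

console.log(validateUnsignedIdToken(SAMPLE_TOKEN, SAMPLE_CFG, 'token_endpoint', SAMPLE_NOW));
console.log(validateUnsignedIdToken(SAMPLE_TOKEN, SAMPLE_CFG, 'authorization_endpoint', SAMPLE_NOW));
```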
Hi,
We are considering using the library for an OIDC scenario. We ran some tests, which are working OK. My only question is whether there is an option to somehow omit the validate JWT token function? I know that this is not part of the spec, but we must have it. Is there a way?
Thanks